Interview: Darren Argyle, Former CISO Qantas Airlines


 
 
The airline industry takes cyber security very seriously. As CISO for Qantas Airlines, Darren Argyle’s job was to ensure that safety and security were central to all the company’s day-to-day operations.
 
Having spent the best part of 12 months in Australia, we took the opportunity to catch up with him to talk about how cybersecurity has changed, how security professionals can stay ahead of the game, and the future of recruitment within the industry.
 

IG: How have the information security and cyber security industries changed since you started 20 years ago?

 
Darren Argyle: Twenty years ago, cybersecurity didn’t exist: it was called information security. When I first started out it was about protecting the perimeter: a ‘castle and moat’ approach to security. The CISO role didn’t exist either – you were an IT Security Manager or Security Manager. Rather than a boardroom role, it was a low-level technical role that sat within IT.
 
The role itself was essentially to keep the antivirus software going, to make sure signatures were updated, to ensure that firewalls were configured correctly. In those days, attackers were mainly script kiddies with no real criminal intent: they were simply interested in trying to outdo each other. The first virus I recall was ILOVEYOU, which was actually pretty effective in what it achieved: a global meltdown, but without the criminal or monetary element that you see nowadays.
 
Fast forward to today, and we’ve shifted away from that perimeter idea. The perimeter now, if you like, is a person’s identity. Businesses have invested a lot in protection, but the boundaries and possibilities have changed. 100% protection now no longer exists. Now, it’s about all companies recognising that security incidents do happen – and how the business detects and responds to these incidents has become more important.
 

IG: New technologies like AI and the Internet of Things (IoT) are gaining plenty of traction. What do you observe CISOs doing to adopt these cutting-edge technologies into business operations?

 
DA: I think it’s the same as anything new that comes into an enterprise. The crucial part for security has always been ensuring that everything is secure by design. Conversations need to be had at the very start of the integration process so that risks can be articulated to the relevant people from the outset.
 
One of the biggest challenges for all CISOs today is shadow IT and digital teams that have been created without the knowledge of the CISO or the internal IT team.
 
As different business units try to become more agile, to innovate, to become more technically aware, they introduce new IT operations. For example, the marketing team may be looking to improve efficiency by introducing software robotics to speed up tasks, reduce costs or respond to customer challenges – which could create cybersecurity risks.
 
It’s important for security teams to get engaged in those new projects early enough. To do that, security teams need to build trust, and not block innovation by saying “that’s not secure, you can’t do that”; security will simply be bypassed in the future without a solid foundation of trust.
 
Security teams can benefit from the innovations harnessed by other departments, too; for example, taking advantage of the machine learning and advanced analytics, speeding up the detection of and response to threats within an environment.
 

IG: Cybersecurity isn’t just an IT issue, of course; it’s a business issue. How do businesses make sure that security is in the DNA of business?

 
DA: The CISO and the security team are the enablers, of course, but effective security needs a top down approach.
 
It’s simply not enough for the security teams to say, “these are the policies, this is our culture, it’s everyone’s responsibility” – that has to come from the CEO. The executive team are the role models, with the security team making everything happen: which includes educating the CEO and executive team so they understand how important it is to manage cybersecurity, and the impacts incidents can have on the business.
 
Previously, security was just generally seen as the cost of doing business. Now, it’s become a competitive advantage, and an investment in the brand. The smart companies are saying “breaches will still happen, but we can reduce their impact, defend our reputation, and increase trust amongst our customers.”
 
Trust is the key word here. Security on its own is a bit benign, but if you think about it in terms of trust, it demonstrates the impact the team can have on the business.
 

IG: You say that security incidents are unavoidable for all companies. Is there a right way and a wrong way to deal with them when they do happen?

 
DA: The most important thing is transparency. GDPR is driving plenty of transparency, introducing questions like “what are you doing with my data, how are you protecting it, what will you do if it’s breached, how will you inform me?”
 
Businesses have always feared the impact of data breaches on their reputation – which can potentially be more damaging than the breaches themselves. With GDPR looming, the penalties of non-compliance are greater than at present: up to 4% of annual turnover. If you don’t report a breach within 72 hours, the impact will be significant. I really do believe that we’ll start to see far more transparency in the future once GDPR comes into effect.
 
You also want your employees to be transparent, and focused on security. If they spot something – be it unsafe practices, suspicious online behaviour or strangers in the buildings – you want them to tell you proactively, and not be penalised for speaking up. Again, workplace culture is important: your culture needs to say that security is everybody’s responsibility.
 

IG: With such a rapid pace of change in the cybersecurity industry, what can companies do to stay informed of the latest trends?

 
DA: There are a number of things, starting with regularly connecting with peers – the CISOs in the local community within your country, and within your specific industry globally. It’s important to connect with peers in which you operate, building a network of information sharing. Typically in that group, you’ll find that somebody will start a conversation about something you haven’t heard before: your relationship allows you to ask the relevant questions, and that knowledge is shared amongst the whole group.
 
It’s also important to point out that it’s not just about the CISO being tuned into the latest trends, but also the wider security team; it’s highly unlikely that there will be one person who knows everything. It’s important to define who looks after different elements of cybersecurity – application security, endpoint security, threats, intelligence and others – dividing those up among different leaders who can then specialise and focus on deeper learning.
 
Subscriptions to various thought leader organisations are a fantastic way of keeping abreast of what’s happening more globally – organisations like CEB and the Information Security Forum. Here, you find papers written by thought leaders as well as case studies from CISOs who have innovated in exciting ways.
 
Finally, staying close to your vendors is also key. Everybody uses a security vendor in some shape or form, and they have plenty of innovation to talk about. You need to keep all your vendors close and find out how they are working together to keep you secure.
 

IG: The talent shortage in cybersecurity is often talked about. Having been in Australia for the last 12 months, have you seen any difference between there and the UK?

 
DA: The talent shortage is more acute in Australia, without a doubt. The country’s population is 24 million versus 65 million in the UK, but beyond that, we just seem to have a chronic shortage of full-time employees.
 
This is because Australia has a huge culture of contracting, leading to a very transient workforce in cyber security. That becomes a challenge, as you want to keep that kind of IT within your company so workers fully understand the business context of the projects they’re working on. With employees moving fluidly in and out of the company, that business context is often lost, leading to far greater risk.
 
The second challenge is encouraging more women into the industry. I think it’s happening more in the UK – and certainly in the rest of the world – than in Australia, but the effort is becoming greater. Just this week, I’ve seen that Telstra are focusing efforts on increasing the appeal of the industry to women. There are grassroots initiatives in universities, colleges and even schools to tackle the issue, but we need things to happen more quickly.
 

IG: You touched on contracting. Why does this happen? Is it a business reluctance to take on full-time staff, or a failure to offer a proposition appealing enough to attract full-time employees?

 
DA: I’ve asked a number of contractors why they contract, and a typical response is, “Well, why wouldn’t I? I can earn more money, I have more flexibility, and I can move on to another contract relatively easily.” Some people simply don’t want to be tied in – and in Australia particularly, they don’t tend to do back-to-back contracts. They tend to take some time off for leisure between contracts.
 
The big brands still attract those looking for careers – often those who want steady employment while they raise a family. Conversely, though, you’ll find that when the kids grow up they want more flexibility – and they then move into contracting work.
 

IG: With all of this in mind, as a CISO, how do you go about attracting the right cybersecurity talent?

 
DA: This goes back to meeting people: going to conferences and engaging with the people there, plus the mentoring work that I do with various individuals.
 
Mentoring across departments within your own company is vital for driving the culture of succession planning. So, for example, it may be that you mentor someone in the operations team as opposed to security – but because they’re being mentored by a security person, they’re more likely to come into that role. Likewise, this can be done externally: I encourage people to mentor junior security professionals in other companies, in the hope that one day they’ll join the company we work for.
 
One of the things we’ve done to great effect in the companies I’ve worked for previously is to have cybersecurity champions or ambassadors within the company. Once they start to learn about the fact that there are shortages in security roles that have higher than average salaries, it’s easy to build up a pipeline of individuals interested in coming into cybersecurity.
 
We have a two-tier approach to cybersecurity hires. You need those you bring in as experienced hires, but you also need a pool of individuals who are new to the industry. With everything happening in cybersecurity recruitment, you can’t expect candidates to meet every item on the job description. You hire them for their curiosity and passion, then train them up.
 
Many thanks to Darren for his time, and his insight. If you’re looking for a new challenge in the cybersecurity industry, whether contract or permanent, take a look at the current opportunities available with identifi global.